TA570
TA570 is a Proofpoint-tracked cybercrime threat actor and one of the most active Qbot/QakBot malware affiliates. The actor has been tracked since 2018 and is routinely associated with distributing Qbot via phishing campaigns, including thread hijacking of existing email conversations, malicious attachments, and URLs. TA570 has also used compromised WordPress sites and file-hosting sites to host payloads.

The source reporting links TA570 to Qbot/QakBot delivery in campaigns that used Microsoft Office documents and, in 2022, exploitation of CVE-2022-30190 (Follina / MSDT) to infect victims. Reported delivery chains included HTML attachments that reconstructed ZIP archives, disk images containing LNK shortcuts and hidden DLLs, and Word documents that attempted to invoke ms-msdt to download and execute Qbot. TA570 was also observed using more traditional Qbot execution paths via mounted disk images, LNK files, and rundll32-loaded DLLs.

TA570 is described as an initial access facilitator / malware distributor in the cybercrime ecosystem. Qbot activity associated with TA570 has been observed preceding follow-on ransomware activity, and the reporting states that Qbot used by TA570 has delivered ransomware including ProLock and Egregor. More broadly, the reporting places TA570 among groups that enable later-stage intrusions involving tools such as Cobalt Strike and ransomware deployment.

A distinctive TA570 characteristic noted in the reporting is the use of U.S. presidents' names in malware configuration or campaign identifiers, which led to the nickname "presidents" affiliate; examples include identifiers such as obama186, obama187, and obama225.

Known alias in the provided content: ta570.
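The two execution paths described above (an Office process invoking ms-msdt, and an LNK inside a mounted disk image running rundll32 against a DLL on the image) leave distinctive parent/child process patterns. The following is an added detection example, not code from the profile's sources or from any vendor; the Sysmon-style event records, paths, DLL name and export name are constructed for illustration.

```python
from typing import Optional
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DLL_ARG = re.compile(r"rundll32(?:\.exe)?\s+\"?([a-z]:\\[^\s\",]+\.dll)\"?\s*,\s*\S+")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Label a process-creation event that matches one of the TA570 chains, else None."""
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event["CommandLine"].lower()
    # Chain 1: an Office process launching msdt.exe with an ms-msdt: URI is the
    # CVE-2022-30190 (Follina) path; legitimate msdt launches come from control.exe
    # or the troubleshooter UI, not from a Word/Excel parent.
    if parent in OFFICE and image == "msdt.exe" and "ms-msdt:" in cmd:
        return "office->msdt ms-msdt: (CVE-2022-30190)"
    # Chain 2: an LNK on a mounted ISO/IMG runs rundll32 against a hidden DLL on the
    # image. Mounted images get their own drive letter, so an explorer.exe-parented
    # rundll32 loading a DLL from a volume other than C: is the pattern to review.
    m = DLL_ARG.search(cmd)
    if image == "rundll32.exe" and parent == "explorer.exe" and m and not m.group(1).startswith("c:\\"):
        return f"rundll32 loading {m.group(1)} from a non-system volume (disk-image chain)"
    return None

def scan(events: list) -> list:
    """Return (index, label) pairs for every event that classify() flags."""
    return [(i, lab) for i, e in enumerate(events) if (lab := classify(e))]

# Constructed Sysmon Event ID 1-style records; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe E:\docs\invoice.dll,Start"},  # E: = mounted image
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\control.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"C:\Windows\System32\msdt.exe -id PCWDiagnostic"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Only the first two constructed events are flagged; the benign shell32 and control.exe launches pass through, which is the false-positive boundary the two rules rely on.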
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
67 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Referenced as a malware distributor associated with stolen-email thread hijacking for phishing delivery.
E-crime threat cluster associated with orchestrating Qakbot activity (historically a banking trojan/loader ecosystem).
Attributed operator of malspam campaigns delivering Qakbot; observed attempting to exploit Follina in conjunction with Qakbot delivery.
Used Follina (CVE-2022-30190) in phishing campaigns as an initial access vector to deliver Qbot.